Office of Inspector General
Corporation for National and
Community Service

STATUS OF THE CORPORATION’S IMPLEMENTATION
OF HOMELAND SECURITY PRESIDENTIAL
DIRECTIVE/HSPD-12

OIG REPORT 08-23

1201 New York Avenue, NW,
Suite 830
Washington, DC 20525
Telephone (202) 606-9390
Facsimile (202) 606-9397

This report was issued to Corporation management on September 25, 2008. Under
the laws and regulations governing audit follow-up, the Corporation is to make final
management decisions on the report’s findings and recommendations no later than
March 25, 2009 and complete its corrective actions by September 25, 2009.
Consequently, the reported findings do not necessarily represent the final resolution
of the issues presented.

OFFICE OF INSPECTOR GENERAL

September 25, 2008

TO:            Ray Limon
               Chief Human Capital Officer

FROM:          Stuart Axenfeld /s/
               Assistant Inspector General for Audit

SUBJECT:       Office of Inspector General Report 08-23, Status of the Corporation’s
               Implementation of Homeland Security Presidential Directive/HSPD-12

Attached is the final report on the Status of the Corporation’s Implementation of Homeland
Security Presidential Directive/HSPD-12.

Under the Corporation’s audit resolution policy, the notice of final action is due by March 25,
2009.

If you have questions pertaining to the final report, please contact Jim Elmore, Audit
Manager, at (202) 606-9354 or j.elmore@cncsoig.gov.

Attachment

cc:   William Anderson, Acting Chief Financial Officer
      Nicola Goren, Chief of Staff
      Norm Franklin, Director, Personnel Security
      Sherry Blue, Audit Resolution Coordinator

1201 New York Avenue, NW Suite 830, Washington, DC 20525
202-606-9390 Hotline: 800-452-8210 www.cncsoig.gov

Senior Corps   AmeriCorps   Learn and Serve America

Table of Contents

Executive Summary
Objectives, Scope, and Methodology
Background
Criteria
Results and Recommendations
Corporation for National and Community Service Response (Appendix)

Executive Summary

The Office of Inspector General (OIG), Corporation for National and Community Service
(Corporation), reviewed the Corporation’s status with regard to implementing Homeland
Security Presidential Directive/HSPD-12 (Directive).
The Directive provided for all Executive
Departments and Executive Agencies to implement the requirements of the Directive and for
the Office of Management and Budget (OMB) to provide implementing guidance. The
OMB’s implementing guidance excluded Executive Agencies that are also Government
Corporations from mandatory implementation of the Directive. Nevertheless, the
Corporation discussed, with OMB, its plans to “comply as much as possible” if resources
become available.

However, resource issues have left implementation and the degree of implementation
uncertain at this time. As a result, the Corporation is not able to prepare, with reasonable
accuracy, estimates of the dates for accomplishing milestones that normally would be
associated with implementation of projects and programs. We recommended that the
Corporation prepare an action plan, and periodically advise OMB of implementation status
so that OMB can meet its tasking to ensure compliance for entities implementing the
Directive.

The Corporation in its response (see Appendix) to a draft of this report agreed to prepare an
action plan when resources for implementing HSPD-12 become available. It also agreed
that GSA would notify OMB of the Corporation’s implementation progress because of the
existing interagency agreement with GSA. The Corporation’s response met the intent of the
recommendations.

Objectives, Scope, and Methodology

Initially, the OIG announced this effort as an audit but later converted the effort to a review
because of the degree of involvement of the General Services Administration (GSA) in the
implementation of HSPD-12 at or for the Corporation.
The objectives of the engagement
were to determine whether the Corporation: (1) implemented HSPD-12 and (2) established
sufficient management controls to ensure the security of, and restricted access to, the
equipment, software, information, and materials used in its identification processing
program. The OIG revised the objectives of the engagement upon converting the effort to a
review to report on the status of implementation of HSPD-12 at the Corporation so that
stakeholders would be aware of the Corporation’s efforts.

Actions of the Corporation since the inception of HSPD-12 through November 2007 were
subject to the review. Information that became available to us in June 2008 is also included
in this report.

Our methodology included reviews of documentation at the Corporation and Federal
Government Internet sources of criteria from the OMB, Department of Commerce, and the
GSA. We limited our interviews to Corporation officials mostly within the Office of Human
Capital, including the Office of Personnel Security.

We conducted our review from February 9, 2007, through June 30, 2008, in accordance with
Quality Standards for Inspections (January 2005) issued by the President’s Council on
Integrity and Efficiency. An exit conference was held with Corporation management on
August 14, 2008, to discuss the issues and recommendations presented in this report. The
Corporation’s response to the draft report is included as an Appendix.

Background

Homeland Security Presidential Directive/HSPD-12 (Directive), signed by President Bush on
August 27, 2004, required the Secretary of Commerce to promulgate a Federal standard for
secure and reliable forms of identification for Federal employees and contractors.
The
Directive also established timelines for executive agencies to implement this standard.

On January 11, 2007, the Office of Management and Budget (OMB) issued OMB
Memorandum for Chief Information Officers, Validating and Monitoring Agency Issuance of
Personal Identity Verification Credentials (M-07-06). In addition to guidance for executive
agencies, M-07-06 advised that it had requested the President’s Council on Integrity and
Efficiency to review agency processes and help ensure they are consistent with the
Directive and Federal Information Processing Standard 201. We reviewed the status of the
Directive at the Corporation because of the OMB request to the President’s Council on
Integrity and Efficiency. The status of compliance is addressed in Appendix A.

Criteria

The Presidential Directive. The Directive stated that it is the policy of the United States to
enhance security, increase Government efficiency, reduce identity fraud, and protect
personal privacy by establishing a mandatory, Government-wide standard for secure and
reliable forms of identification issued by the Federal Government to its employees and
contractors (including contractor employees).
Furthermore, to implement this new policy,
the Directive tasked the Department of Commerce, in consultation with certain key
Government officials and the Director, OMB, to promulgate a Federal standard for secure
and reliable forms of identification.

The Directive also required implementing agencies to meet several milestones, including:
(1) not later than four months following promulgation of the Federal standard, the heads of
executive departments and agencies shall have a program in place to ensure that
identification issued by their departments and agencies to Federal employees and
contractors meet the standard; and (2) as soon as possible, but not later than eight months
after the date of the promulgation of the standard, agencies “shall, to the maximum extent
practicable, require the use of identification by Federal employees and contractors that meet
the standard in gaining physical access to Federally controlled facilities and logical access
to Federally controlled information systems.” Departments and agencies were to implement
HSPD-12 in a manner consistent with ongoing Government-wide activities, policies, and
guidance issued by OMB, which shall ensure compliance. Subsequently, the Department of
Commerce issued the Federal standard and OMB issued implementing guidance.

The Standard. On February 25, the Department of Commerce issued Federal Information
Processing Standards Publication 201 (FIPS 201), Personal Identity Verification (PIV) of
Federal Employees and Contractors (Standard). The Standard was reissued in March 2006
as FIPS 201-1 and revised with Change Notice 1 in June 2006.

Government-wide Implementing Guidance.
OMB issued its initial implementing guidance
on HSPD-12 and FIPS 201 on August 5, 2005, in OMB Memorandum M-05-24,
Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a
Common Identification Standard for Federal Employees and Contractors. Selected
information and requirements are:

   •   Appendix A, paragraph 1.A. Executive departments and agencies listed in title 5
       U.S.C. § 101, the Department of Homeland Security, and independent
       establishments defined by title 5 U.S.C. § 104(1), and the United States Postal
       Service are subject to HSPD-12. However, OMB provided that Government
       corporations, as defined by title 5 U.S.C. § 103(1), such as the Corporation for
       National and Community Service, are encouraged but not required to implement
       HSPD-12.

   •   Appendix A, paragraph 2.B. Covered agencies and departments shall submit
       implementation plans to OMB by June 27, 2005.

   •   Appendix A, paragraph 7.A. Identify to OMB by August 26, 2005, those Federally
       controlled facilities, Federally controlled information systems, and other Federal
       applications that are important for security and for which use of the Standard (FIPS
       201-1) in circumstances not covered by HSPD-12 should be considered.

   •   Appendix A, paragraph 5.C. OMB noted that it may not be cost effective for a small
       department or agency to procure its own products or services and provided for the
       GSA to identify agency sponsors who will provide a range of services to agencies.
       The extent and cost of services to be provided will be determined by agreement
       between the sponsor and the customer agency.

Agency Sponsor. The GSA became one of the agency sponsors that provides HSPD-12
products and services to Federal agencies.
GSA’s USAccess Program enables Federal
Government agencies to credential employees, contractors, and affiliates. The GSA
HSPD-12 Managed Service Office (MSO) is the executive agent responsible for providing
Federal agencies with interoperable identity management and credentialing solutions that
provide end-to-end services to enroll applicants, issue credentials, and manage the lifecycle
of these credentials. The MSO offers the end-to-end solution as a shared service to Federal
agencies when agencies sign up through interagency agreements. Although some
agencies are implementing HSPD-12 without sponsorship, the GSA, through its USAccess
Program, already has agreements to provide at least some HSPD-12 services to nearly 67
agencies, including the Department of Agriculture, Department of Housing and Urban
Development, and the Corporation. It began issuing credentials for agencies in August
2007.

Results and Recommendations

Sponsored HSPD-12 Services to the Corporation. The Corporation entered into a
memorandum of understanding (MOU) with the HSPD-12 MSO on September 19, 2006. On
September 21, 2006, the Corporation provided a reimbursable agreement as a financial
addendum to the MOU, which provided $10,000 to GSA’s Federal Technology Service, “To
provide the initial funding for the HSPD-12 Shared Service Provider contract award and
administration. Funding for the cost of developing and operating the PMO [Project
Management Office] is also included.” The GSA may perform many of the key roles in the
process of issuing personal identity verification credentials.

The Corporation voluntarily chose to implement the Directive to the extent resources were
available but has not yet defined the roles to be performed by Corporation personnel and
the separation of duties, which are critical to compliance.
The Corporation lacks a written
plan and milestones for implementation because of the uncertain availability of resources.

The Corporation’s existing card readers at various physical entry points throughout the
Headquarters building were selected early on to be capable, with reprogramming, of reading
the GSA-issued personal identity verification credentials, which are planned to be fully
compliant with the Directive and implementing standards and guidance.

The Corporation represented to the OIG that it was not subject to the requirements of the
Directive. However, the Corporation planned to implement certain elements of the Directive
and supplementing guidance. Although the Directive is mandatory for almost all Federal
agencies and departments, its application to the Corporation, which is continuing at this time
to voluntarily implement the guidance, is uncertain because the OMB did not provide
specific guidance for agencies voluntarily opting to implement the Directive. However, by
electing to implement the Directive, the Corporation, we believe, must coordinate with OMB
in order for OMB to meet its mandate to ensure compliance throughout the Federal
Government. The Director, Personnel Security, and an OMB Senior Policy Analyst
discussed by telephone in April 2008 the efforts of the Corporation to implement the
Directive. The Director, Personnel Security, advised the OIG that OMB agreed that the
Corporation’s implementation efforts were voluntary. We believe that the Corporation
should periodically advise OMB of its implementation status.

On October 23, 2007, OMB implied in its Memorandum for Heads of Departments and
Agencies, HSPD-12 Implementation Status, M-08-1, that all implementing agencies may
need to have an agreement with OMB concerning agency implementation schedules and
plans.
Although the Corporation has been on a path to voluntarily implement the Directive,
the Corporation did not formally notify OMB of its intention to implement the Directive until
OMB contacted the Corporation in April 2008. Notwithstanding, the Corporation advised us
in November 2007 that it plans to use GSA’s services to issue fully compliant personal
identity validation credentials in calendar year 2008. In May 2008, the Director, Personnel
Security, revised the estimate to calendar year 2009.

Recommendations. We recommend that the Corporation:

   1.a. Prepare a tentative action plan for HSPD-12 implementation, including identifying
        the roles of key figures, separation of duties, and milestones.

        Corporation Response. The Corporation agreed to establish a tentative action
        plan once it has received the funding resources required to implement HSPD-12.

        OIG Comment. The planned actions satisfy the intent of the recommendation.

   1.b. Periodically notify the Office of Management and Budget of the status of its plans
        to implement HSPD-12.

        Corporation Response. The Corporation stated that its interagency agreement
        with GSA provided for a turn key implementation of HSPD-12. It also stated that it
        would notify GSA, once the Corporation has full HSPD-12 funding, and GSA in turn
        would communicate with OMB regarding the Corporation’s progress.

        OIG Comment. The planned actions satisfy the intent of the recommendation to
        keep OMB informed.

This report is intended for the information and use of the Corporation for National and
Community Service, Office of the Inspector General, and the U.S. Congress.
However, this
report is a matter of public record and its distribution is not limited.

Stuart Axenfeld /s/
Assistant Inspector General for Audit
September 25, 2008

Appendix: Corporation for National and Community Service Response

NATIONAL & COMMUNITY SERVICE

SEP 11 2...8

MEMORANDUM FOR STUART AXENFELD
               Assistant Inspector General for Audit

FROM:          Raymond Limon
               Chief Human Capital Officer

SUBJECT:       Draft Report on Corporation Implementation of Homeland
               Security Presidential Directive/HSPD-12

Thank you for your recommendations regarding the Corporation's implementation of its
personnel security program. As you correctly indicate in your report, the Office of
Management and Budget (OMB) excluded Government corporations from mandatory
implementation of the Directive. However, the Corporation still manages a personnel
security program which attempts to fulfill the intent of HSPD-12.

In regards to your two recommendations:

1. Prepare a tentative action plan for HSPD-12 implementation, including identifying the
role of key figures, separation of duties, and milestones.

2. Periodically notify the Office of Management and Budget (OMB) of the status of its
plans to implement HSPD-12.

Resource issues have left the implementation and degree of implementation of this
program uncertain at this time. An action plan would be premature.
However, the
Corporation will prepare a tentative action plan once it has received the funding resources
required to implement HSPD-12.

Since the Corporation has entered into an interagency agreement with the General
Service Administration (GSA) to provide turn key implementation of the HSPD-12
requirements, we will notify GSA once we have full HSPD-12 funding. GSA in turn will
communicate with OMB on our implementation progress.

1201 New York Avenue, NW, Washington, DC 20525
202-606-5000 www.nationalservice.org